package se.swedenconnect.opensaml.xmlsec.keyinfo.provider;

import java.security.interfaces.ECPrivateKey;
import java.util.Base64;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.security.auth.x500.X500Principal;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.collection.LazySet;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.criteria.impl.EvaluableX509DigestCredentialCriterion;
import org.opensaml.security.credential.criteria.impl.EvaluableX509SubjectKeyIdentifierCredentialCriterion;
import org.opensaml.security.credential.criteria.impl.EvaluableX509SubjectNameCredentialCriterion;
import org.opensaml.security.criteria.KeyAlgorithmCriterion;
import org.opensaml.security.criteria.KeyLengthCriterion;
import org.opensaml.security.x509.X509DigestCriterion;
import org.opensaml.security.x509.X509IssuerSerialCriterion;
import org.opensaml.security.x509.X509SubjectKeyIdentifierCriterion;
import org.opensaml.security.x509.X509SubjectNameCriterion;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.encryption.AgreementMethod;
import org.opensaml.xmlsec.encryption.EncryptedKey;
import org.opensaml.xmlsec.encryption.EncryptionMethod;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoCredentialContext;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoResolutionContext;
import org.opensaml.xmlsec.keyinfo.impl.LocalKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.X509Data;
import org.opensaml.xmlsec.signature.X509Digest;
import org.opensaml.xmlsec.signature.X509IssuerSerial;
import org.opensaml.xmlsec.signature.X509SKI;
import org.opensaml.xmlsec.signature.X509SubjectName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.opensaml.xmlsec.encryption.KeyDerivationMethod;
import se.swedenconnect.opensaml.xmlsec.encryption.support.ECDHSupport;
import se.swedenconnect.opensaml.xmlsec.encryption.support.EcEncryptionConstants;

/* loaded from: input_file:se/swedenconnect/opensaml/xmlsec/keyinfo/provider/KeyAgreementMethodKeyInfoProvider.class */
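/**
 * A {@code KeyInfoProvider} that resolves the key-agreement (ECDH-ES) key for an {@code xenc:AgreementMethod} child
 * of a {@code ds:KeyInfo}.
 * <p>
 * Only agreement methods whose algorithm is {@link EcEncryptionConstants#ALGO_ID_KEYAGREEMENT_ECDH_ES} and whose
 * {@code KeyDerivationMethod} is {@link EcEncryptionConstants#ALGO_ID_KEYDERIVATION_CONCAT} are handled. The recipient's
 * EC private key(s) are either supplied at construction time or, when the provider is created without credentials,
 * taken from the {@link LocalKeyInfoCredentialResolver} that invokes it.
 * </p>
 * <p>
 * The candidate local credentials are narrowed by the agreement method's {@code RecipientKeyInfo} (first
 * {@code X509Data}: certificate, issuer/serial, SKI, subject name or digest). When the recipient key info is absent,
 * empty or cannot be interpreted, the criteria set is empty, so every local EC credential is tried in turn and the
 * first one for which key agreement succeeds is returned. The {@code AgreementMethod}, its {@code RecipientKeyInfo}
 * and the enclosing {@code EncryptionMethod} are all taken from the received message and must be treated as
 * untrusted input; the actual agreement and key derivation is delegated to {@link ECDHSupport#getKeyAgreementKey}.
 * </p>
 */
public class KeyAgreementMethodKeyInfoProvider extends AbstractKeyInfoProvider {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(KeyAgreementMethodKeyInfoProvider.class);

    /**
     * EC credentials supplied at construction, or {@code null} when the local credentials of the invoking
     * {@link LocalKeyInfoCredentialResolver} are to be used instead.
     */
    private final List<Credential> localCredentials;

    /**
     * Creates a provider without local credentials. Such a provider can only derive keys when invoked by a
     * {@link LocalKeyInfoCredentialResolver}, whose local credential resolver is then used.
     */
    public KeyAgreementMethodKeyInfoProvider() {
        this.localCredentials = null;
        log.debug("KeyAgreementMethodKeyInfoProvider being created without local credentials - Will only function with LocalKeyInfoCredentialResolver");
    }

    /**
     * Creates a provider that derives keys using the given local credentials.
     * <p>
     * Only credentials whose private key is an {@link ECPrivateKey} are kept. If none remain, the provider behaves as if
     * constructed without credentials (see {@link #KeyAgreementMethodKeyInfoProvider()}).
     * </p>
     *
     * @param credentials the local credentials (must not be {@code null})
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if {@code credentials} is
     *           {@code null}
     */
    public KeyAgreementMethodKeyInfoProvider(
            @Nonnull @ParameterName(name = "credentials") final List<Credential> credentials) {
        Constraint.isNotNull(credentials, "Input credentials list cannot be null");
        // Only an EC private key can take part in ECDH key agreement; everything else is dropped up front.
        final List<Credential> ecCredentials = credentials.stream()
                .filter(credential -> credential.getPrivateKey() instanceof ECPrivateKey)
                .collect(Collectors.toList());
        // An empty list is normalised to null so that process() falls back to the invoking resolver's credentials.
        this.localCredentials = ecCredentials.isEmpty() ? null : ecCredentials;
    }

    /**
     * Tells whether this provider handles the given {@code KeyInfo} child.
     *
     * @param keyInfoChild the {@code KeyInfo} child element
     * @return {@code true} if the element is an {@code AgreementMethod} using ECDH-ES with a ConcatKDF key derivation
     *           method, {@code false} otherwise
     */
    @Override
    public boolean handles(final XMLObject keyInfoChild) {
        if (!(keyInfoChild instanceof AgreementMethod)) {
            return false;
        }
        final AgreementMethod agreementMethod = (AgreementMethod) keyInfoChild;
        if (!EcEncryptionConstants.ALGO_ID_KEYAGREEMENT_ECDH_ES.equals(agreementMethod.getAlgorithm())) {
            // The message has two placeholders, so both the provider name and the algorithm are supplied.
            log.debug("{} does not handle {} agreement method",
                    this.getClass().getSimpleName(), agreementMethod.getAlgorithm());
            return false;
        }
        final KeyDerivationMethod keyDerivationMethod = getKeyDerivationMethod(agreementMethod);
        if (keyDerivationMethod == null) {
            log.info("No KeyDerivationMethod available for {}", EcEncryptionConstants.ALGO_ID_KEYAGREEMENT_ECDH_ES);
            return false;
        }
        if (EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT.equals(keyDerivationMethod.getAlgorithm())) {
            return true;
        }
        log.debug("KeyDerivationMethod {} is not supported for {}",
                keyDerivationMethod.getAlgorithm(), EcEncryptionConstants.ALGO_ID_KEYAGREEMENT_ECDH_ES);
        return false;
    }

    /**
     * Derives the key-agreement key for the given {@code AgreementMethod}.
     * <p>
     * The algorithm of the derived key is taken from the {@link KeyAlgorithmCriterion} in {@code criteriaSet} and its
     * length from the {@link KeyLengthCriterion}, falling back to the {@code EncryptionMethod} of the enclosing
     * {@code EncryptedKey}. Each local EC credential matching the recipient key info is tried; a failure for one
     * candidate is logged and the next one is tried.
     * </p>
     *
     * @param resolver the resolver invoking this provider; used for local credentials when none were supplied at
     *          construction
     * @param keyInfoChild the {@code KeyInfo} child element
     * @param criteriaSet the criteria set; must contain a {@link KeyAlgorithmCriterion}
     * @param kiContext the resolution context
     * @return a set holding the single derived credential, or {@code null} if the element is not handled, no local
     *           credentials are available or no candidate credential yielded a key
     * @throws SecurityException if {@code KeyAlgorithmCriterion} or the key length is missing, or if credential
     *           resolution fails
     */
    @Override
    public Collection<Credential> process(final KeyInfoCredentialResolver resolver, final XMLObject keyInfoChild,
            final CriteriaSet criteriaSet, final KeyInfoResolutionContext kiContext) throws SecurityException {
        if (!handles(keyInfoChild)) {
            return null;
        }
        final CollectionKeyInfoCredentialResolver localCredentialResolver = selectLocalCredentialResolver(resolver);
        if (localCredentialResolver == null) {
            return null;
        }
        final AgreementMethod agreementMethod = (AgreementMethod) keyInfoChild;

        // The criteria set may be absent; that is treated the same as a missing KeyAlgorithmCriterion.
        final KeyAlgorithmCriterion keyAlgorithmCriterion =
                criteriaSet != null ? criteriaSet.get(KeyAlgorithmCriterion.class) : null;
        if (keyAlgorithmCriterion == null || keyAlgorithmCriterion.getKeyAlgorithm() == null) {
            log.error("Bad call to KeyAgreementMethodKeyInfoProvider - KeyAlgorithmCriterion is missing");
            throw new SecurityException("KeyAlgorithmCriterion is missing");
        }
        KeyLengthCriterion keyLengthCriterion = criteriaSet.get(KeyLengthCriterion.class);
        if (keyLengthCriterion == null) {
            log.debug("OpenSAML did not give us KeyLengthCriterion, trying to find EncryptionMethod->Algorithm ...");
            keyLengthCriterion = createKeyLengthCriterion(agreementMethod);
            if (keyLengthCriterion == null) {
                log.error("Bad call to KeyAgreementMethodKeyInfoProvider - KeyLengthCriterion is missing");
                throw new SecurityException("KeyLengthCriterion is missing");
            }
        }

        // An empty criteria set (no usable RecipientKeyInfo) matches every local EC credential.
        final Iterable<Credential> candidates;
        try {
            candidates = localCredentialResolver.resolve(buildCriteriaSet(agreementMethod));
        } catch (final ResolverException e) {
            log.error("Failed to resolve credential for ECDH key agreement", e);
            throw new SecurityException("Resolver error", e);
        }

        for (final Credential candidate : candidates) {
            try {
                final BasicCredential derived = new BasicCredential(ECDHSupport.getKeyAgreementKey(
                        candidate.getPrivateKey(), agreementMethod,
                        keyAlgorithmCriterion.getKeyAlgorithm(), keyLengthCriterion.getKeyLength().intValue()));
                final KeyInfoCredentialContext context = buildCredentialContext(kiContext);
                if (context != null) {
                    derived.getCredentialContextSet().add(context);
                }
                final LazySet<Credential> result = new LazySet<>();
                result.add(derived);
                return result;
            } catch (final SecurityException e) {
                // Not fatal: a later candidate may still succeed. Only the absence of any success is reported below.
                log.error("Failed to get key agreement key - " + e.getMessage(), e);
            }
        }
        log.info("Could not derive a key agreement key - no matching credentials found");
        return null;
    }

    /**
     * Picks the resolver that supplies the local EC credentials.
     *
     * @param resolver the resolver invoking this provider
     * @return a resolver over the credentials given at construction, otherwise the local credential resolver of a
     *           {@link LocalKeyInfoCredentialResolver}, or {@code null} if neither is available
     */
    private CollectionKeyInfoCredentialResolver selectLocalCredentialResolver(final KeyInfoCredentialResolver resolver) {
        if (this.localCredentials != null) {
            return new CollectionKeyInfoCredentialResolver(this.localCredentials);
        }
        if (resolver instanceof LocalKeyInfoCredentialResolver) {
            return ((LocalKeyInfoCredentialResolver) resolver).getLocalCredentialResolver();
        }
        log.debug("KeyAgreementMethodKeyInfoProvider can not resolve any EC local credentials");
        return null;
    }

    /**
     * Builds the criteria used to select the local credential from the agreement method's {@code RecipientKeyInfo}.
     * <p>
     * Only the first {@code X509Data} element is consulted. Every value comes from the received message, so malformed
     * Base64 or distinguished-name strings are expected; such an error is logged and the criteria collected so far are
     * returned (possibly none, which matches every local credential).
     * </p>
     *
     * @param agreementMethod the agreement method
     * @return the criteria set (never {@code null}, possibly empty)
     */
    private CriteriaSet buildCriteriaSet(final AgreementMethod agreementMethod) {
        final CriteriaSet criteriaSet = new CriteriaSet();
        final KeyInfo recipientKeyInfo = agreementMethod.getRecipientKeyInfo();
        if (recipientKeyInfo == null || recipientKeyInfo.getX509Datas().isEmpty()) {
            return criteriaSet;
        }
        final X509Data x509Data = recipientKeyInfo.getX509Datas().get(0);
        try {
            if (!x509Data.getX509Certificates().isEmpty()) {
                criteriaSet.add(new EvaluableX509CertificatesCredentialCriterion(x509Data.getX509Certificates()));
            }
            if (!x509Data.getX509IssuerSerials().isEmpty()) {
                final X509IssuerSerial issuerSerial = x509Data.getX509IssuerSerials().get(0);
                if (issuerSerial.getX509IssuerName() != null && issuerSerial.getX509SerialNumber() != null) {
                    criteriaSet.add(new X509IssuerSerialCriterion(
                            new X500Principal(issuerSerial.getX509IssuerName().getValue()),
                            issuerSerial.getX509SerialNumber().getValue()));
                }
            }
            if (!x509Data.getX509SKIs().isEmpty()) {
                final X509SKI ski = x509Data.getX509SKIs().get(0);
                criteriaSet.add(new EvaluableX509SubjectKeyIdentifierCredentialCriterion(
                        new X509SubjectKeyIdentifierCriterion(Base64.getDecoder().decode(ski.getValue()))));
            }
            if (!x509Data.getX509SubjectNames().isEmpty()) {
                final X509SubjectName subjectName = x509Data.getX509SubjectNames().get(0);
                criteriaSet.add(new EvaluableX509SubjectNameCredentialCriterion(
                        new X509SubjectNameCriterion(new X500Principal(subjectName.getValue()))));
            }
            if (!x509Data.getX509Digests().isEmpty()) {
                final X509Digest digest = x509Data.getX509Digests().get(0);
                criteriaSet.add(new EvaluableX509DigestCredentialCriterion(
                        new X509DigestCriterion(digest.getAlgorithm(), Base64.getDecoder().decode(digest.getValue()))));
            }
        } catch (final Exception e) {
            // Best effort: a broken RecipientKeyInfo must not abort resolution; the remaining criteria still apply.
            log.error("Error during building of criteria set for KeyAgreementMethodKeyInfoProvider - {}", e.getMessage(), e);
        }
        return criteriaSet;
    }

    /**
     * Derives a {@link KeyLengthCriterion} from the {@code EncryptionMethod} of the {@code EncryptedKey} enclosing the
     * agreement method ({@code EncryptedKey/KeyInfo/AgreementMethod}).
     * <p>
     * An explicit {@code KeySize} wins; otherwise the length implied by the encryption algorithm is used.
     * </p>
     *
     * @param agreementMethod the agreement method
     * @return the criterion, or {@code null} if no enclosing {@code EncryptedKey}/{@code EncryptionMethod} exists or no
     *           length can be determined
     */
    private KeyLengthCriterion createKeyLengthCriterion(final AgreementMethod agreementMethod) {
        final XMLObject parent = agreementMethod.getParent();
        if (!(parent instanceof KeyInfo) || !(parent.getParent() instanceof EncryptedKey)) {
            return null;
        }
        final EncryptionMethod encryptionMethod = ((EncryptedKey) parent.getParent()).getEncryptionMethod();
        if (encryptionMethod == null) {
            return null;
        }
        if (encryptionMethod.getKeySize() != null && encryptionMethod.getKeySize().getValue() != null) {
            return new KeyLengthCriterion(encryptionMethod.getKeySize().getValue());
        }
        if (encryptionMethod.getAlgorithm() == null) {
            return null;
        }
        final Integer keyLength = AlgorithmSupport.getKeyLength(encryptionMethod.getAlgorithm());
        return keyLength != null ? new KeyLengthCriterion(keyLength) : null;
    }

    /**
     * Returns the first {@code KeyDerivationMethod} child of the agreement method.
     *
     * @param agreementMethod the agreement method
     * @return the key derivation method, or {@code null} if none is present
     */
    private static KeyDerivationMethod getKeyDerivationMethod(final AgreementMethod agreementMethod) {
        final List<XMLObject> children = agreementMethod.getUnknownXMLObjects(KeyDerivationMethod.DEFAULT_ELEMENT_NAME);
        return children.isEmpty() ? null : (KeyDerivationMethod) children.get(0);
    }
}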
